fix: access-control-allow-methods header naming and value

internal/server/middleware.go

@@ -7,7 +7,7 @@ import "net/http"
 func enableCORS(handler func(w http.ResponseWriter, r *http.Request)) func(w http.ResponseWriter, r *http.Request) {
 	return func(w http.ResponseWriter, r *http.Request) {
 		w.Header().Set("access-control-allow-origin", "*")
-		w.Header().Set("access-control-allow-method", "post")
+		w.Header().Set("access-control-allow-methods", "options, post")
 		w.Header().Set("access-control-allow-headers", "authorization, content-type")
 		w.Header().Set("access-control-max-age", "3600")
 		if r.Method == http.MethodOptions {

internal/server/middleware_test.go

@@ -31,8 +31,8 @@ func Test_enableCORS(t *testing.T) {
 		if w.Header().Get("access-control-allow-origin") != "*" {
 			t.Errorf("invalid access-control-allow-origin")
 		}
-		if w.Header().Get("access-control-allow-method") != "post" {
+		if w.Header().Get("access-control-allow-methods") != "options, post" {
-			t.Errorf("invalid access-control-allow-method")
+			t.Errorf("invalid access-control-allow-methods")
 		}
 		if w.Header().Get("access-control-allow-headers") != "authorization, content-type" {
 			t.Errorf("invalid access-control-allow-headers")